Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find out the GB/Day of data ingestion not using license data query?

scottj1y
Path Finder
‎07-11-2023 10:47 AM

Hi, I've been trying to piece together a query that a power user could run that could report the GB/Day of data indexed for a particular index without having to access the license usage data (which a power user wouldn't have access to).

 

I've been trying to leverage the dashboards in the Monitoring app but nothing seems to be quite what I need.  I'd like to get the deployment wide GB/day indexed for a single index which seems easy but so far I haven't been able to crack it.

 

Any suggestions?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

meetmshah
Contributor
‎07-12-2023 12:15 PM

In any case, power user won't have access to the _internal index. You can either calculate the usage based on individual index like " | eval event_size=if(isnotnull(len(_raw)), len(_raw), 0) | stats sum(event_size) as total_bytes by sourcetype | eval total_gb=round(total_bytes/1024/1024/1024, 3)" 

OR

Create a saved search through the admin user which updates the lookup (or summary index) with ingestion details and let power users access that lookup / summary index for Dashboard panels.

 

The last option would be easy to manage and suggested.

 

Please accept the answer if that helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

scottj1y
Path Finder
‎07-12-2023 12:34 PM

Let me check that out and I will mark it gratefully.  😀

0 Karma
Reply
Solved! Jump to solution
Solution

meetmshah
Contributor
‎07-12-2023 12:15 PM

In any case, power user won't have access to the _internal index. You can either calculate the usage based on individual index like " | eval event_size=if(isnotnull(len(_raw)), len(_raw), 0) | stats sum(event_size) as total_bytes by sourcetype | eval total_gb=round(total_bytes/1024/1024/1024, 3)" 

OR

Create a saved search through the admin user which updates the lookup (or summary index) with ingestion details and let power users access that lookup / summary index for Dashboard panels.

 

The last option would be easy to manage and suggested.

 

Please accept the answer if that helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...